Microsoft Defender for Endpoint (MDE) Platform-Specific Antivirus Engines and Unified Security Intelligence Versioning

Microsoft Defender for Endpoint, Microsoft's enterprise antivirus and endpoint protection platform, runs on Windows, Linux, macOS, Android and iOS. To deliver appropriate protection on each of these, Microsoft uses platform-specific engines while keeping a single versioning scheme for Security Intelligence (definition) Updates. This blog looks at both.


Platform-Specific Antivirus Engines

Each operating system has unique characteristics, system calls, file structures, and threat vectors. To address these differences, Microsoft Defender uses platform-specific antivirus engines tailored to the environment in which they operate:

Windows

  • Engine: Uses the full-featured Microsoft Defender Antivirus engine.
  • Integration: Deeply integrated with the Windows OS, using AMSI (Antimalware Scan Interface), the Windows Security Center, and a kernel-mode filter driver for real-time scanning.
  • Update Mechanism: Engine and security intelligence updates are delivered through Windows Update and Microsoft Update.

Linux

  • Engine: A daemon-based engine, managed with the mdatp command-line tool, optimized for server workloads.
  • Integration: Works with Linux file systems and runs as a system service rather than through a desktop UI.
  • Update Mechanism: Installed and updated from Microsoft's Linux package repositories with the distribution's package manager (apt, yum/dnf or zypper).

macOS

  • Engine: Tailored to the macOS architecture, with real-time protection and on-demand scanning.
  • Integration: Built on Apple's system extensions and the Endpoint Security framework.
  • Update Mechanism: Updates are delivered via Microsoft AutoUpdate (MAU).

Android

  • Engine: Focuses on app scanning, web protection, and device compliance.
  • Integration: Integrates with Microsoft Intune and Google Play Protect.
  • Update Mechanism: App updates arrive through the Google Play Store and are managed with Microsoft Intune (formerly Microsoft Endpoint Manager).

iOS

  • Engine: Provides app protection, phishing (web) protection, and compliance checks.
  • Integration: Works with Microsoft Intune and Apple's Mobile Device Management (MDM) framework.
  • Update Mechanism: App updates arrive through the App Store and are managed with Microsoft Intune (formerly Microsoft Endpoint Manager).

Unified Security Intelligence Versioning Across Platforms

Despite the differences in engines and update mechanisms, Microsoft Defender uses one versioning scheme for its Security Intelligence Updates on every platform. This keeps reporting consistent and simplifies management across diverse environments.

Key Features of Unified Versioning

  • Consistent Version Numbers: Every platform reports the same four-part version scheme (e.g., 1.405.1234.0), so a Windows server, a Linux server and a Mac can be compared directly.
  • Tailored Content: The version number is shared, but the update content is built per platform. For example, a Windows definition update may include AMSI-specific signatures, while the Linux package concentrates on file-based threats.
  • Simplified Management: Administrators can track and verify update deployment across all endpoints against a single version scheme instead of mapping between per-platform numbering.
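Because every platform reports the same four-part scheme, one comparison routine is enough to find endpoints that have fallen behind. The script below is an added example, not code from the original post or from Microsoft: it parses the version out of raw tool output (the quoted value from `mdatp health --field definitions_version` on Linux/macOS and the `AntivirusSignatureVersion` line from `Get-MpComputerStatus` on Windows; both output formats are assumed), then grades each endpoint against the newest version observed. The device names and outputs are constructed sample data.

```python
import re
from dataclasses import dataclass

# Security intelligence versions use one four-part scheme on every platform,
# e.g. 1.405.1234.0. The second field is the base package, the third the
# incremental release within it (assumed reading of the scheme).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


@dataclass(frozen=True)
class EndpointSignature:
    device: str
    platform: str
    version: tuple  # e.g. (1, 405, 1234, 0)


def parse_version(text: str) -> tuple:
    """Extract the four-part version from raw tool output.

    Accepts the quoted value printed by 'mdatp health --field definitions_version'
    (Linux/macOS) and the 'AntivirusSignatureVersion : x.y.z.w' line from
    Get-MpComputerStatus (Windows). Raises ValueError when no version is present,
    which is what an endpoint whose service is not running looks like.
    """
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no security intelligence version in {text!r}")
    return tuple(int(part) for part in match.groups())


def version_str(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def classify(version: tuple, reference: tuple, max_lag: int = 2) -> str:
    """'current' at or above the reference, 'acceptable' when at most max_lag
    releases behind within the same base package, otherwise 'stale'.
    An older base package is always stale, whatever max_lag is."""
    if version >= reference:
        return "current"
    if version[:2] == reference[:2] and reference[2] - version[2] <= max_lag:
        return "acceptable"
    return "stale"


def lag_report(endpoints, reference=None, max_lag=2):
    """Return [(device, platform, version, status)] for every endpoint.

    One tuple comparison covers Windows, Linux and macOS because they all
    report the same scheme. reference defaults to the newest version seen.
    """
    if reference is None:
        reference = max(ep.version for ep in endpoints)
    return [
        (ep.device, ep.platform, version_str(ep.version), classify(ep.version, reference, max_lag))
        for ep in endpoints
    ]


# Constructed sample tool output (hypothetical devices, not real telemetry).
SAMPLE_OUTPUT = [
    ("srv-win-01", "Windows", "AntivirusSignatureVersion : 1.405.1234.0"),
    ("srv-lnx-01", "Linux", '"1.405.1230.0"'),
    ("mac-01", "macOS", '"1.405.1232.0"'),
    ("srv-lnx-02", "Linux", '"1.403.2030.0"'),  # still on the previous base package
]


def endpoints_from_samples(samples=SAMPLE_OUTPUT):
    return [EndpointSignature(d, p, parse_version(raw)) for d, p, raw in samples]


if __name__ == "__main__":
    for row in lag_report(endpoints_from_samples()):
        print("%-12s %-8s %-14s %s" % row)
```

Feed it the real outputs collected by your inventory tooling and the reference becomes the version published in the latest release notes rather than the newest version you happen to see; an endpoint that raises ValueError deserves a look as well, since a missing version usually means the service is not running.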

Benefits

  • Cross-Platform Visibility: One version scheme makes centralized monitoring and reporting possible across Windows, Linux and macOS fleets.
  • Operational Efficiency: Update validation and compliance checks use a single comparison rather than per-platform rules.
  • Improved Security Posture: It is straightforward to verify that every device is running the latest threat intelligence.

Additional Resources

For more detailed information on Microsoft Defender Security Intelligence Updates and platform-specific release notes, refer to the official documentation:


By leveraging platform-specific engines and a unified versioning system, Microsoft Defender ensures robust, consistent, and efficient protection across all major operating systems.

Defender for Servers without Azure Arc – "Arc-less"

Licensing Model Migration Plan

Summary

Organizations can now deploy Endpoint Detection and Response (EDR) on non-Azure servers without Azure Arc. This option suits customers with mixed and hybrid server estates who want to consolidate protection under the Defender for Servers licensing model. The "arc-less" capability (direct onboarding) is a tenant-level setting that switches the licensing model from the per-device Microsoft Defender for Endpoint for Servers SKU to Azure consumption billing under Defender for Cloud (Defender for Servers Plan 1 or Plan 2), without deploying any additional agent. In practice, you onboard Defender for Endpoint from the Microsoft Defender portal with the usual onboarding package or script, and licensing and billing are handled through Azure and Defender for Servers, with no extra agents, extensions or products.

Direct onboarding integrates Defender for Endpoint with Defender for Cloud without installing additional software on your servers. Once enabled, non-Azure servers appear in Defender for Cloud under a designated Azure subscription (for licensing, billing, alerts and security insights) and in the Microsoft Defender portal. Note that this "arc-less" mechanism does not include server management capabilities such as Azure Policy or guest configuration; those require the Azure Arc agent.

Switching from direct onboarding to Azure Arc incurs no additional cost (unless you also move from Plan 1 to Plan 2). If you need to collect logs via the Azure Monitor Agent (AMA) or use other features that direct onboarding does not support, you can install the Azure Arc agent without offboarding from Defender for Endpoint.

Simplified step-by-step guidance for transitioning from the MDE for Servers SKU to Defender for Servers P1/P2

  1. Create a new subscription, or identify the existing subscription that will be used for the MDE integration.
  2. Enable Defender for Servers Plan 1 or Plan 2 in the selected subscription.
  3. Enable Direct onboarding in the subscription.
    1. If Defender for Servers is off for this subscription when Direct onboarding is enabled, Defender for Servers Plan 1 is enabled for it automatically.
  4. Continue onboarding servers to Microsoft Defender for Endpoint with the onboarding script via GPO, Configuration Manager (SCCM) or whatever onboarding mechanism you already use.
  5. All onboarded servers are automatically associated with the designated subscription, for licensing and billing purposes only.

How to Enable Defender for Server with Direct Onboarding and a Designated Subscription

  1. Go to Defender for Cloud > Environment Settings > Direct onboarding.
  2. Switch the Direct onboarding toggle to On.
  3. Select the subscription to use for servers onboarded directly with Defender for Endpoint.
  4. Select Save.

Enhancing Vulnerability Management with Microsoft Defender for Endpoint (finding the installation path of each software)

Strong vulnerability management is central to a solid security program, and a question customers raise repeatedly is how to locate the installation path of vulnerable software on their devices. Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Cloud can provide this information.

Installation Path Insights

A useful part of vulnerability management is knowing where each software instance is installed. Microsoft Defender Vulnerability Management collects installation-path data for discovered software, and administrators can query it in advanced hunting with KQL (Kusto Query Language): for example, a query can return every path where chrome.exe is installed, joined to the vulnerabilities affecting that version. Such queries feed the summaries used to assess vulnerabilities and prioritise remediation.
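As an added example (not code from the original post or from Microsoft), the block below holds the advanced hunting query that joins vulnerability findings to the evidence table that records disk paths, and then post-processes a response in the shape returned by the advanced hunting API. The KQL uses the table and column names documented for DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareEvidenceBeta; the "Beta" suffix means that table may change, so treat the column list as something to re-check. The response, device names, paths and CVE identifiers (CVE-0000-000n) are constructed placeholders, and the assumption that dynamic columns may arrive as JSON text is handled explicitly.

```python
import json
from collections import defaultdict

# Advanced hunting query (KQL). Vulnerability findings carry no path, so they
# are joined to the evidence table, which records where each software instance
# was observed. Table/column names as documented for the two TVM tables.
INSTALL_PATH_QUERY = """
DeviceTvmSoftwareVulnerabilities
| where SoftwareName =~ "chrome"
| join kind=inner (
    DeviceTvmSoftwareEvidenceBeta
    | project DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, DiskPaths
  ) on DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion
| mv-expand DiskPath = DiskPaths to typeof(string)
| summarize Cves = make_set(CveId) by DeviceName, OSPlatform, SoftwareVersion, DiskPath
"""

# Constructed response in the shape returned by the advanced hunting API
# (POST /api/advancedhunting/run): hypothetical devices and paths, placeholder
# CVE identifiers. Not real findings.
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "OSPlatform", "Type": "String"},
        {"Name": "SoftwareVersion", "Type": "String"},
        {"Name": "DiskPath", "Type": "String"},
        {"Name": "Cves", "Type": "Dynamic"},
    ],
    "Results": [
        {"DeviceName": "ws-01", "OSPlatform": "Windows10", "SoftwareVersion": "120.0.0.1",
         "DiskPath": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "Cves": '["CVE-0000-0001","CVE-0000-0002"]'},
        {"DeviceName": "ws-01", "OSPlatform": "Windows10", "SoftwareVersion": "119.0.0.1",
         "DiskPath": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
         "Cves": '["CVE-0000-0003"]'},
        {"DeviceName": "srv-lnx-01", "OSPlatform": "Linux", "SoftwareVersion": "120.0.0.1",
         "DiskPath": "/opt/google/chrome/chrome",
         "Cves": ["CVE-0000-0001"]},
    ],
}

# Path fragments that indicate a per-user (profile-local) installation.
USER_PROFILE_MARKERS = ("\\users\\", "/home/", "/users/")


def as_list(value):
    """Dynamic columns may arrive as a JSON string or as an already-parsed array."""
    return json.loads(value) if isinstance(value, str) else list(value)


def install_paths(response):
    """Collapse query rows into {device: {disk_path: {"version": ..., "cves": set()}}}."""
    paths = defaultdict(dict)
    for row in response["Results"]:
        entry = paths[row["DeviceName"]].setdefault(
            row["DiskPath"], {"version": row["SoftwareVersion"], "cves": set()}
        )
        entry["cves"].update(as_list(row["Cves"]))
    return dict(paths)


def per_user_installs(paths):
    """(device, path) pairs that live under a user profile. A machine-wide
    update or uninstall does not touch these copies, so they stay vulnerable."""
    hits = []
    for device, by_path in paths.items():
        for path in by_path:
            lowered = path.lower()
            if any(marker in lowered for marker in USER_PROFILE_MARKERS):
                hits.append((device, path))
    return hits


if __name__ == "__main__":
    found = install_paths(SAMPLE_RESPONSE)
    for device, by_path in found.items():
        for path, info in by_path.items():
            print(f"{device}: {path} ({info['version']}) {sorted(info['cves'])}")
    for device, path in per_user_installs(found):
        print(f"per-user install needing attention: {device} {path}")
```

The per-user check is the practical reason to ask for paths at all: a second copy of the browser under a user profile is the one that machine-wide patching misses, and in the sample it is also the copy on the older version.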

Unified Data Capture

The insights come from data the existing MDE sensor already collects on every onboarded device; no additional component is required. Because the same sensor covers all platforms, the resulting software inventory is consistent across the estate, which makes potential vulnerabilities easier to detect, and the data is exposed for querying so teams can tailor their vulnerability management to their own requirements.

Defender for Cloud Integration

Besides MDE, servers protected by Microsoft Defender for Cloud surface the same insights in the Defender for Cloud portal. The data and sensors are the same as Defender for Endpoint's; Defender for Cloud presents them alongside the rest of the cloud security posture, which makes it easier to track and manage vulnerabilities across the whole environment.

Conclusion

By leveraging the power of Microsoft Defender for Endpoint and Microsoft Defender for Cloud, we empower our clients to proactively manage vulnerabilities and protect their digital assets.